Date: Saturday, November 2, 2013 @ 22:41:43
Author: pierre
Revision: 198743
Backport fixes
See FS#36158
Added:
openssl/trunk/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
openssl/trunk/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
Modified:
openssl/trunk/PKGBUILD
--------------------------------------------------------------------------+
PKGBUILD |
16 ++++-
openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch |
31 +++++++++
openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch |
32 ++++++++++
3 files changed, 76 insertions(+), 3 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-11-02 21:33:11 UTC (rev 198742)
+++ PKGBUILD 2013-11-02 21:41:43 UTC (rev 198743)
@@ -6,7 +6,7 @@
# use a pacman compatible version scheme
pkgver=${_ver/[a-z]/.${_ver//[0-9.]/}}
#pkgver=$_ver
-pkgrel=4
+pkgrel=5
pkgdesc='The Open Source toolkit for Secure Sockets Layer and Transport Layer
Security'
arch=('i686' 'x86_64')
url='https://www.openssl.org'
@@ -19,12 +19,16 @@
"https://www.openssl.org/source/${pkgname}-${_ver}.tar.gz.asc";
'no-rpath.patch'
'ca-dir.patch'
- 'openssl-1.0.1e-fix_pod_syntax-1.patch')
+ 'openssl-1.0.1e-fix_pod_syntax-1.patch'
+ 'openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch'
+
'openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch')
md5sums=('66bf6f10f060d561929de96f9dfe5b8c'
'SKIP'
'dc78d3d06baffc16217519242ce92478'
'3bf51be3a1bbd262be46dc619f92aa90'
- '88d3bef4bbdc640b0412315d8d347bdf')
+ '88d3bef4bbdc640b0412315d8d347bdf'
+ 'ae7848bb152b8834ceff30c8c480d422'
+ 'c5cc62a47cef72f4e5ad119a88e97ae4')
prepare() {
cd $srcdir/$pkgname-$_ver
@@ -35,6 +39,12 @@
patch -p0 -i $srcdir/ca-dir.patch
patch -p1 -i $srcdir/openssl-1.0.1e-fix_pod_syntax-1.patch
+ # OpenSSL 1.0.0k, 1.0.1.d, 1.0.1e fail handshake with DTLS1_BAD_VER
+ # http://rt.openssl.org/Ticket/Display.html?id=2984
+ patch -p1 -i
$srcdir/openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
+ # Communication problems with 1.0.1e
+ # http://rt.openssl.org/Ticket/Display.html?id=3002
+ patch -p1 -i
$srcdir/openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
}
build() {
Added: openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
===================================================================
--- openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch
(rev 0)
+++ openssl-1.0.1-Check-DTLS_BAD_VER-for-version-number.patch 2013-11-02
21:41:43 UTC (rev 198743)
@@ -0,0 +1,31 @@
+From 9fe4603b8245425a4c46986ed000fca054231253 Mon Sep 17 00:00:00 2001
+From: David Woodhouse <dw...@infradead.org>
+Date: Tue, 12 Feb 2013 14:55:32 +0000
+Subject: Check DTLS_BAD_VER for version number.
+
+The version check for DTLS1_VERSION was redundant as
+DTLS1_VERSION > TLS1_1_VERSION, however we do need to
+check for DTLS1_BAD_VER for compatibility.
+
+PR:2984
+(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
+---
+ ssl/s3_cbc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
+index 02edf3f..443a31e 100644
+--- a/ssl/s3_cbc.c
++++ b/ssl/s3_cbc.c
+@@ -148,7 +148,7 @@ int tls1_cbc_remove_padding(const SSL* s,
+ unsigned padding_length, good, to_check, i;
+ const unsigned overhead = 1 /* padding length byte */ + mac_size;
+ /* Check if version requires explicit IV */
+- if (s->version >= TLS1_1_VERSION || s->version == DTLS1_VERSION)
++ if (s->version >= TLS1_1_VERSION || s->version == DTLS1_BAD_VER)
+ {
+ /* These lengths are all public so we can test them in
+ * non-constant time.
+--
+1.8.4.2
+
Added: openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
===================================================================
--- openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
(rev 0)
+++ openssl-1.0.1-e_aes_cbc_hmac_sha1.c-fix-rare-bad-record-mac-on-AES.patch
2013-11-02 21:41:43 UTC (rev 198743)
@@ -0,0 +1,32 @@
+From 9ab3ce124616cb12bd39c6aa1e1bde0f46969b29 Mon Sep 17 00:00:00 2001
+From: Andy Polyakov <ap...@openssl.org>
+Date: Mon, 18 Mar 2013 19:29:41 +0100
+Subject: e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
+
+PR: 3002
+(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
+---
+ crypto/evp/e_aes_cbc_hmac_sha1.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c
b/crypto/evp/e_aes_cbc_hmac_sha1.c
+index 483e04b..fb2c884 100644
+--- a/crypto/evp/e_aes_cbc_hmac_sha1.c
++++ b/crypto/evp/e_aes_cbc_hmac_sha1.c
+@@ -328,10 +328,11 @@ static int aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX
*ctx, unsigned char *out,
+
+ if (res!=SHA_CBLOCK) continue;
+
+- mask = 0-((inp_len+8-j)>>(sizeof(j)*8-1));
++ /* j is not incremented yet */
++ mask = 0-((inp_len+7-j)>>(sizeof(j)*8-1));
+ data->u[SHA_LBLOCK-1] |= bitlen&mask;
+ sha1_block_data_order(&key->md,data,1);
+- mask &= 0-((j-inp_len-73)>>(sizeof(j)*8-1));
++ mask &= 0-((j-inp_len-72)>>(sizeof(j)*8-1));
+ pmac->u[0] |= key->md.h0 & mask;
+ pmac->u[1] |= key->md.h1 & mask;
+ pmac->u[2] |= key->md.h2 & mask;
+--
+1.8.4.2
+
